DynTek’s Shaun Land shares trends and best practices garnered from working with healthcare CIOs and CISOs on IT Strategy and Security Compliance programs
The relentless wave of cyber attacks against healthcare organizations that began in 2014-2015 did not let up in 2016, and experts predict the onslaught will continue in 2017. Here’s a look back and forward, and recommended resolutions for addressing cybersecurity challenges in the year ahead.
In 2016, hackers diversified their tactics to include not only traditional forms of attack such as data theft and denial of service, but also blackmail and extortion via ransomware.
One of the most notorious and highly publicized ransomware attacks struck Hollywood Presbyterian Medical Center in Los Angeles in February. Hospital computers were offline for more than a week before hospital executives gave in to the ransom demands, ponying up $17,000 in Bitcoin for the return of the encryption key.
EHRs (electronic health records) continue to retain high value on the black market. Chock full of portable information that passes through a number of different endpoints, they are predicted to remain a prime target. The growth of mobile devices and IoT-connected devices in the healthcare industry compounds the threat.
System outages at healthcare organizations put patient safety and lives on the line — a reason many healthcare organizations choose to pay ransom rather than risk further disruption to operations. Unscrupulous hackers will continue to exploit this reality. Hospital CISOs need to have their guard up at all times.
As ransomware continues to reap big payouts for hackers, attackers will
Although there’s no sure-fire way to stop cyber criminals from launching new attacks, healthcare organizations can resolve to fight them. Here are 5 recommendations:
Start looking at your security system through the eyes of a hacker. Conduct penetration tests to see if your system can withstand an attack. Preferably, tests should be conducted by an outside party. You should also test your disaster recovery plans.
Rather than base cybersecurity investments on cost alone, factor in effectiveness ratings validated by unbiased reviews and evaluations from users and test labs—as well as your own vetting processes.
Although applying security patches can be time-consuming, failing to patch your systems can result in catastrophe. In fact, the 2016 Verizon Data Breach Investigations Report finds that exploits come out as fast as 10 days after a new vulnerability is found and that 99% of vulnerabilities are exploited more than a year after being published.
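The two figures above (exploits appearing within 10 days, most exploitation happening more than a year out) translate directly into a patch-latency view of your own inventory. The script below is an added example, not DynTek's code or anything from the Verizon report: it takes a constructed host/CVE inventory with placeholder CVE identifiers, measures how long each system was (or still is) exposed after the vulnerability was published, bands the result against those two thresholds, and orders the unpatched backlog so the longest-exposed systems come first. Dates and hostnames are invented for illustration; the "as of" date is fixed so the output is reproducible.

```python
from datetime import date

# Constructed sample inventory (not real data): one row per host/CVE pair.
# Columns: host, CVE id (placeholder), date the CVE was published,
# date the host was patched (None = still unpatched).
INVENTORY = [
    ("ehr-app-01", "CVE-0000-0001", date(2016, 3, 1),  date(2016, 3, 8)),
    ("ehr-db-01",  "CVE-0000-0002", date(2016, 1, 15), None),
    ("imaging-02", "CVE-0000-0003", date(2015, 6, 10), date(2016, 9, 30)),
    ("kiosk-07",   "CVE-0000-0004", date(2016, 11, 20), None),
]

# Fixed reporting date so the example is reproducible offline.
AS_OF = date(2016, 12, 31)

# Thresholds taken from the DBIR figures quoted above: exploits have appeared
# as soon as 10 days after disclosure, and most exploitation happens after a year.
EXPLOIT_LEAD_DAYS = 10
ONE_YEAR_DAYS = 365


def exposure_days(published, patched_on, as_of):
    """Days the host was exposed: publication to patch date, or to 'as_of' if unpatched."""
    end = patched_on if patched_on is not None else as_of
    return (end - published).days


def classify(days):
    """Band an exposure window against the two thresholds from the report."""
    if days <= EXPLOIT_LEAD_DAYS:
        return "within-exploit-window"
    if days <= ONE_YEAR_DAYS:
        return "overdue"
    return "critical-over-a-year"


def patch_report(inventory, as_of):
    """Return one dict per row, unpatched hosts first, longest exposure first."""
    rows = []
    for host, cve, published, patched_on in inventory:
        days = exposure_days(published, patched_on, as_of)
        rows.append({
            "host": host,
            "cve": cve,
            "status": "patched" if patched_on is not None else "unpatched",
            "days_exposed": days,
            "band": classify(days),
        })
    # Sort key: unpatched (False sorts before True) first, then descending exposure.
    rows.sort(key=lambda r: (r["status"] != "unpatched", -r["days_exposed"]))
    return rows


def summarize(report):
    """Count still-unpatched hosts per band: the backlog a CISO has to work down."""
    counts = {}
    for r in report:
        if r["status"] == "unpatched":
            counts[r["band"]] = counts.get(r["band"], 0) + 1
    return counts


if __name__ == "__main__":
    report = patch_report(INVENTORY, AS_OF)
    for r in report:
        print(f"{r['host']:<12} {r['cve']:<14} {r['status']:<9} "
              f"{r['days_exposed']:>4}d  {r['band']}")
    print("unpatched backlog by band:", summarize(report))
```

Run with a real inventory, the useful output is the ordered backlog rather than the bands themselves: a host that has sat unpatched for months against a published CVE is exactly the kind of system the report's "more than a year" figure describes, and it should be at the top of the list regardless of what the patch costs to apply.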
Many data breaches rely on social engineering tactics that target employees. Provide ongoing education to your employees about the need to avoid clicking on links and attachments in suspicious emails.
5. Remember, compliance, compliance, compliance.
Health organizations need to keep HIPAA/HITECH and OCR compliance in mind when creating security plans and selecting security solutions. These initiatives require organizations to prioritize a data security strategy, an incident response plan and organization-wide security policies and procedures. In addition, the recently passed 21st Century Cures Act is focused on REQUIRING data sharing for data mining purposes to develop cures for diseases faster. Healthcare organizations need to ensure they have plans in place to store data and share it securely.
Contact DynTek today for help developing and managing your IT Strategy and/or Security Compliance program and solutions.